> Yes, I've been following it. I admire the simplicity of stopping the
> attacks. In fact I may put in an IMGATE for this reason alone.

I've been enhancing IMGate in the past few weeks. Basically, I've been publishing scripts in the IMGate list that harvest the maillog files, hourly, daily, monthly for [EMAIL PROTECTED] and IPs that have repeatedly been rejected for one criterion and use the complementary information to build new filters. I.e., if an IP repeatedly sends to dead email accounts, we know that's spam, so that IP is blocked.

Dictionary spammers will typically open one SMTP session and then send one msg to 25 to 50 [EMAIL PROTECTED] They will do this in the face of a whole string of 5xx fatal reject msgs in that SMTP session. So IMGate now harvests and blocks the IPs who commit that "dictionary" behavior. This harvesting is now done hourly, but I'm working on a script now that will run every 5 minutes, detect the above dictionary behavior, blacklist the IP, AND turn on tarpitting for up to one hour (automatically renewable if the attack continues) so that after just 2 errors in an SMTP session, IMGate hangs up on the b@st@rd, forcing him to call back, which slows him down tremendously.

> These dictionary attacks are becoming increasingly sophisticated,
> frequent, and stealing lots of resources.

Yep, they are becoming quite horrendous in size and frequency and driving a lot of people to use IMGate. Trying to fight off these attacks with the mailbox server itself, even if it is successful technically, is self-defeating because fighting the attack still consumes huge resources on the mailserver. Moving the defense forward to IMGate totally frees the mail server.

We've always said IMGate runs fine on an old P133 or P200 with 64 megs of RAM. This is still true for valid mail traffic, but the levels of abuse have risen so dramatically in 2002 that the additional volume of abuse means that IMGate is more comfortable fighting abuse on a .... P500. :))

The next phase of IMGate will be to take the war from the SMTP application level down to the TCP/IP protocol level, where IMGate will automatically create packet filtering rules to reject stealthily any TCP connection attempts from blacklisted IPs. IMGate SMTP processes won't see anything at all. And the level of bandwidth wasted on spammers will be absolutely minimized.

BTW, these new features of IMGate are not in the basic config that I give to anyone for the asking. The basic config has always worked, and still does work, very well for everybody who has tried it. But the advanced features above have been published piece-meal in the IMGate list. And anybody who hires me to install IMGate will get the "advanced" features, with the packet filtering being an option.

From what I see out there, having the mailbox server, the one your users are in contact with, run all its own anti-abuse defenses is becoming less and less tenable as the volume of attacks rises rapidly.

Len
__________________________________________________________________
www.menandmice.com/DNS-training : DNS Training
BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
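The maillog harvesting described in the post above, as an added example (not one of IMGate's own scripts): it picks out "User unknown" rejects from constructed sendmail-style log lines, flags relays that keep hammering dead addresses within a single session despite the 5xx answers, and renders the result as blacklist entries. The log layout, field names, thresholds and the sendmail access_db output format are assumptions, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt in a sendmail-style check_rcpt reject
# format (an assumption; not IMGate's actual log layout). 198.51.100.7 keeps
# sending RCPTs to dead addresses in one session; 203.0.113.5 has one typo.
SAMPLE_LOG = """\
Dec  3 10:01:02 gw sendmail[1201]: gB3A1201: ruleset=check_rcpt, arg1=<aaron@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Dec  3 10:01:02 gw sendmail[1201]: gB3A1201: ruleset=check_rcpt, arg1=<abby@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Dec  3 10:01:03 gw sendmail[1201]: gB3A1201: ruleset=check_rcpt, arg1=<abe@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Dec  3 10:01:03 gw sendmail[1201]: gB3A1201: ruleset=check_rcpt, arg1=<adam@example.org>, relay=[198.51.100.7], reject=550 5.1.1 User unknown
Dec  3 10:02:10 gw sendmail[1250]: gB3A1250: ruleset=check_rcpt, arg1=<alcie@example.org>, relay=[203.0.113.5], reject=550 5.1.1 User unknown
Dec  3 10:02:11 gw sendmail[1250]: gB3A1250: from=<bob@partner.test>, size=1204, relay=[203.0.113.5]
"""

REJECT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=\[(?P<ip>[\d.]+)\], reject=5\d\d .*User unknown"
)

def parse_unknown_user_rejects(log_text):
    """Yield (queue_id, relay_ip, recipient) for each 5xx 'User unknown' reject."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("qid"), m.group("ip"), m.group("rcpt")

def find_dictionary_attackers(log_text, per_session=2, total=4):
    """Return {ip: reject_count} for relays showing dictionary behaviour:
    more than `per_session` dead-address rejects inside one session (queue id)
    despite the 5xx answers, or at least `total` across the whole excerpt."""
    per_qid, per_ip, qid_ip = defaultdict(int), defaultdict(int), {}
    for qid, ip, _ in parse_unknown_user_rejects(log_text):
        per_qid[qid] += 1
        per_ip[ip] += 1
        qid_ip[qid] = ip
    flagged = {}
    for qid, n in per_qid.items():
        if n > per_session:
            flagged[qid_ip[qid]] = per_ip[qid_ip[qid]]
    for ip, n in per_ip.items():
        if n >= total:
            flagged[ip] = n
    return flagged

def access_map_lines(flagged):
    """Render the blacklist as sendmail access_db 'Connect:' REJECT rules
    (assumes the gateway uses sendmail's access map; adapt for other MTAs)."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(flagged)]
```

Run hourly (or every few minutes, as the post plans) over the most recent maillog slice and feed the returned lines into the gateway's access map; the single typo from 203.0.113.5 stays below both thresholds and is not blacklisted.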
